Abstract

Software exploits, especially zero-day exploits, are major security threats. Every day, security experts discover and collect numerous exploits from honeypots, malware forensics, and underground channels. However, no easy methods exist to classify these exploits into meaningful categories and to accelerate diagnosis as well as detailed analysis. To address this need, we present \codename, which recognizes both control-flow-hijacking, and data-only attacks by combining approximate control-flow integrity, fast dynamic taint analysis and API sandboxing schemes. Once it detects an exploit incident,\codename generates a succinct data representation, called an exploit skeleton}, to characterize the captured exploit. \codename then classifies the captured exploits into different exploit families by performing distance computing on the extracted skeletons. To evaluate the efficiency of\codename, we conduct a field test using exploit samples from public exploit databases, such as Metasploit, as well as wild-captured exploits. Our experiments demonstrate that \codename is a practical system that successfully detects and correctly classifies all these exploit attacks.